From db9f42c46c1c1966a3dd71bf3b9e3bf76ff04e6d Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Thu, 26 Mar 2015 16:37:45 -0400
Subject: [PATCH] Fix saving delegated credentials for SPNs
---
...al-name-to-remove-the-path-separator.patch | 90 +++++++++++++++++++
mod_auth_gssapi.spec | 9 +-
2 files changed, 97 insertions(+), 2 deletions(-)
create mode 100644 0001-Escape-principal-name-to-remove-the-path-separator.patch
diff --git a/0001-Escape-principal-name-to-remove-the-path-separator.patch b/0001-Escape-principal-name-to-remove-the-path-separator.patch
new file mode 100644
index 0000000..b33e1cc
--- /dev/null
+++ b/0001-Escape-principal-name-to-remove-the-path-separator.patch
@@ -0,0 +1,90 @@
+From 286e3dac69c3d4b32db93de1f9937f434383588f Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Thu, 26 Mar 2015 16:30:56 -0400
+Subject: [PATCH] Escape principal name to remove the path separator
+
+The principla name is used as a file name, any embedded path separators
+are going to cause trouble if used in the file name, so we need to escape
+them away. Usee ~ as the escape chracter (~~ to escape ~ itself)
+
+Fixes #14
+---
+ src/mod_auth_gssapi.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 53 insertions(+), 1 deletion(-)
+
+diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
+index 4f21123a4caa56d748307055be73099cc9a63dc0..c7881bf9e149bb190ad73741250d94541abfd0e8 100644
+--- a/src/mod_auth_gssapi.c
++++ b/src/mod_auth_gssapi.c
+@@ -119,6 +119,48 @@ static bool mag_conn_is_https(conn_rec *c)
+ return false;
+ }
+
++static char *escape(apr_pool_t *pool, const char *name,
++ char find, const char *replace)
++{
++ char *escaped = NULL;
++ char *namecopy;
++ char *n;
++ char *p;
++
++ namecopy = apr_pstrdup(pool, name);
++ if (!namecopy) goto done;
++
++ p = strchr(namecopy, find);
++ if (!p) return namecopy;
++
++ /* first segment */
++ n = namecopy;
++ while (p) {
++ /* terminate previous segment */
++ *p = '\0';
++ if (escaped) {
++ escaped = apr_pstrcat(pool, escaped, n, replace, NULL);
++ } else {
++ escaped = apr_pstrcat(pool, n, replace, NULL);
++ }
++ if (!escaped) goto done;
++ /* move to next segment */
++ n = p + 1;
++ p = strchr(n, find);
++ }
++ /* append last segment if any */
++ if (*n) {
++ escaped = apr_pstrcat(pool, escaped, n, NULL);
++ }
++
++done:
++ if (!escaped) {
++ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
++ "OOM escaping name");
++ }
++ return escaped;
++}
++
+ static void mag_store_deleg_creds(request_rec *req,
+ char *dir, char *clientname,
+ gss_cred_id_t delegated_cred,
+@@ -128,8 +170,18 @@ static void mag_store_deleg_creds(request_rec *req,
+ gss_key_value_set_desc store;
+ char *value;
+ uint32_t maj, min;
++ char *escaped;
+
+- value = apr_psprintf(req->pool, "FILE:%s/%s", dir, clientname);
++ /* We need to escape away '/', we can't have path separators in
++ * a ccache file name */
++ /* first double escape the esacping char (~) if any */
++ escaped = escape(req->pool, clientname, '~', "~~");
++ if (!escaped) return;
++ /* then escape away the separator (/) if any */
++ escaped = escape(req->pool, escaped, '/', "~");
++ if (!escaped) return;
++
++ value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped);
+ if (!value) {
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
+ "OOM storing delegated credentials");
+--
+2.1.0
+
diff --git a/mod_auth_gssapi.spec b/mod_auth_gssapi.spec
index e92fea6..4766d23 100644
--- a/mod_auth_gssapi.spec
+++ b/mod_auth_gssapi.spec
@@ -1,6 +1,6 @@ Name: mod_auth_gssapi Version: 1.1.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A GSSAPI Authentication module for Apache Group: System Environment/Daemons
@@ -12,13 +12,15 @@ BuildRequires: httpd-devel, krb5-devel, openssl-devel, autoconf, automake, libt Requires: httpd-mmn = %{_httpd_mmn} Requires: krb5-libs >= 1.11.5 +Patch01: 0001-Escape-principal-name-to-remove-the-path-separator.patch + %description The mod_auth_gssapi module is an authentication service that implements the SPNEGO based HTTP Authentication protocol defined in RFC4559. %prep %setup -q - +%patch01 -p1 %build export APXS=%{_httpd_apxs}
@@ -44,6 +46,9 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir} %{_httpd_moddir}/mod_auth_gssapi.so %changelog +* Thu Mar 26 2015 Simo Sorce 1.1.0-2 +- Fix saving delegated credentials for SPNs + * Thu Mar 12 2015 Simo Sorce 1.1.0-1 - New minor release 1.1.0 - New feature: Basic Auth support
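Review bot: The two escaping passes added to mag_store_deleg_creds do not give a one-to-one mapping, so distinct principal names can resolve to the same ccache file: doubling `~` and then turning `/` into a single `~` makes both `a~b` and `a//b` come out as `a~~b` (constructed examples). Since this name selects the file that receives delegated credentials, a collision would let one client's stored credentials overwrite or be mistaken for another's; whether a realm can actually issue such names is not visible here. Mapping the separator to a sequence the first pass can never produce keeps the names distinct, e.g. `escaped = escape(req->pool, escaped, '/', "~s");`, and the comment above it should then state the decoding rule. Separately, escape() reports "OOM escaping name" for any NULL from `apr_pstrdup`, which would mislabel a NULL `name` as memory exhaustion. Only part of mag_store_deleg_creds is inside the hunk, so how `value` is used afterwards is not shown.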